
Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

tecniciCaq
Aspirant

Antivirus alert: Doc.Malware.Sagent-6865733-0

ReadyNAS 314 - Fw 6.9.5

 

After last update of antivirus engine (Feb 24, 2019), I receive alert "System: Antivirus scanner found a threat (Doc.Malware.Sagent-6865733-0)" on every winword document with .doc ext stored on NAS.

Is it a false positive?

Model: RN31400|ReadyNAS 300 Series 4-Bay
Message 1 of 13
rph1
Star

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

Hi TechniciCaq,

 

I am getting the same thing on many of my Word doc files. I took one of them and uploaded it to VirusTotal. It was scanned by 59 different virus programs, including Symantec, AVG, Avast, McAfee, ZoneAlarm, TrendMicro, and a number of other well-known names. It passed on all of them except for ClamAV, which I understand is used by the Netgear NAS. Mine is a ReadyNAS 2120 and I now believe this is a false positive since it is hitting a lot of my files that have been on the device for some time, some for years, without detection and are not actively being used/updated.

 

It would be nice to find out how to fix the problem, other than waiting for another antivirus update since it is filling up the logs and keeps sending me emails of them all. I suppose I can stop the alerts but then I potentially won't know about something else that might happen.

 

Message 2 of 13
rph1
Star

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

Hi All,

 

Just wanted to provide another update. I turned off sending emails in the ReadyNAS for virus infections for now to prevent the flow of files it thinks are infected coming to my mailbox. I also submitted a false positive report to ClamAV, using this link:

https://www.clamav.net/reports/fp

 

If you are experiencing this problem and verified it appears to be a false positive, you may want to do the same. It seems like that to me when 58 programs pass it as fine and only ClamAV says it is infected.

Message 3 of 13
rph1
Star

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

Hi All,

 

Latest update: the virus definition file on my ReadyNAS was updated yesterday at 2:45pm PST to version 58.25371, but that did not make a difference. There are still a whole slew of entries in the log file indicating Word docs are infected. I ran one of the new files it identified as malware through Virus Total and it passed all scanners, including ClamAV, so at this point I assume my device just doesn't have the most recent file definitions that properly detect this. I will monitor the logs to see when the virus definition file gets updated and if the reports of this stop.

Message 4 of 13
GKCanada
Aspirant

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

I also just started receiving hundreds of alert emails saying the exact same thing:

 

Antivirus scanner found a threat (Doc.Malware.Sagent-6865733-0) in the file /data/xxxxxx. Please delete the infected file soon.

 

These files have been on my system for 5-10+ years and many have not been accessed for the same amount of time.  It's driving my inbox crazy and I triple checked some files.  Nothing appears to be suspicious.

 

 

Model: RN524X|ReadyNAS 524X Premium performance Business Data Storage
Message 5 of 13
nsne
Virtuoso

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

Same issue. I actually scanned the files with ClamXAV, which is a macOS frontend for ClamAV, and the files were shown to be clean. So I'm not sure what's going on. But the alerts are driving me a bit mad too.

Message 6 of 13
GKCanada
Aspirant

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

Hi again. Good news, yesterday I updated the firmware to my NAS and for 24hrs+ there have been no more alerts. My email is quiet again! As far as I can tell, that had been the only change I have made. Firmware update was not significant, went from 6.9.4 to 6.9.5 (I think). Maybe it has paused and I'll eat my words tonight, but I have given it more than 24hrs and so far so good.
Message 7 of 13
tecniciCaq
Aspirant

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0


@GKCanada wrote:
Hi again. Good news, yesterday I updated the firmware to my NAS and for 24hrs+ there have been no more alerts. My email is quiet again! As far as I can tell, that had been the only change I have made. Firmware update was not significant, went from 6.9.4 to 6.9.5 (I think). Maybe it has paused and I'll eat my words tonight, but I have given it more than 24hrs and so far so good.

Yesterday a new antivirus scanner definition update, 58.25372, was released and resolved the exploit (not the firmware).

Message 8 of 13
StephenB
Guru

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0


@tecniciCaq wrote:

Yesterday a new antivirus scanner definition update, 58.25372, was released and resolved the exploit (not the firmware).


Certainly it was ClamAV's issue.  Upgrading the firmware would trigger apt-get updates though, so it could have gotten the new definitions onto the NAS more quickly.

Message 9 of 13
rph1
Star

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

Hi Everyone,

 

It looks like my issue may be resolved. It appears for me, a check is done for virus definition updates at 2:45pm PST on a daily basis. Yesterday at that time, a new virus definition file was installed, 58.25372, which appears to have resolved the false positive. Since that was installed I have not seen one entry in the logs for the Doc.Malware.Sagent-6865733-0 malware. It looks like this should resolve the problem for those experiencing the issue.

 

Unfortunately, there is no mechanism to force a check for an updated virus definition file and install it if there is one. That would be a nice addition and not have us wait for the system to do it on its own. Just think about an actual virus or malware infection and having to wait a day when a fix is available to stop an infiltration. Not a good way to manage things.

Message 10 of 13
2Compute
Aspirant

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

Indeed, an issue Netgear should fix.

Message 11 of 13
Marc_V
NETGEAR Employee Retired

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0

Hi

 

@rph1 You can submit this idea on the Ideas exchange board.

 

The issue with false positives is with ClamAV; that is why it needs to be reported to their site.

 

Good day to all

 

 

Regards

 

 

Message 12 of 13
StephenB
Guru

Re: Antivirus alert: Doc.Malware.Sagent-6865733-0


@Marc_V wrote:

 

The issue with false positives is with ClamAV; that is why it needs to be reported to their site.

 


This is the issue that Netgear should fix (and I think is what @2Compute  was meaning )

 


@rph1 wrote:

 

Unfortunately, there is no mechanism to force a check for an updated virus definition file and install it if there is one. 


In general, Netgear doesn't provide any controls for ClamAV other than "on" and "off".  Requests for more options have been on the idea exchange for a couple years now - they were posted immediately after Netgear switched to ClamAV and removed all the configuration controls.  So far they've been ignored.

 

Message 13 of 13
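
Added example, not part of any post in this thread and not NETGEAR or ClamAV code: a triage script for the alert flood described above. It parses the alert wording quoted in the thread, groups hits by signature, and marks a signature that fires on many long-unmodified files as a probable false positive to confirm with a second scanner; the thresholds, sample paths, dates and second signature name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Alert wording as quoted in the thread; thresholds and names are assumptions.
ALERT_RE = re.compile(
    r"Antivirus scanner found a threat \((?P<sig>[^)]+)\) "
    r"in the file (?P<path>.+?)\. Please delete"
)

def triage(lines, mtimes, now, min_hits=3, min_age_days=365):
    """Group alerts by signature; flag bulk hits on long-unmodified files."""
    by_sig = defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            by_sig[m["sig"]].add(m["path"])  # set: repeated alerts count once
    cutoff = now - timedelta(days=min_age_days)
    report = {}
    for sig, paths in by_sig.items():
        # Unknown mtime is treated as recent, so the file is never "stale".
        stale = [p for p in paths if mtimes.get(p, now) < cutoff]
        bulk_stale = len(paths) >= min_hits and len(stale) == len(paths)
        report[sig] = {
            "hits": len(paths),
            "stale": len(stale),
            "verdict": "probable-false-positive" if bulk_stale else "investigate",
        }
    return report

# Constructed sample data: paths, dates and the second signature are made up.
NOW = datetime(2019, 2, 26)
HEAD = "System: Antivirus scanner found a threat "
TAIL = ". Please delete the infected file soon."
SAMPLE_LINES = [
    HEAD + "(Doc.Malware.Sagent-6865733-0) in the file /data/docs/a.doc" + TAIL,
    HEAD + "(Doc.Malware.Sagent-6865733-0) in the file /data/docs/b.doc" + TAIL,
    HEAD + "(Doc.Malware.Sagent-6865733-0) in the file /data/docs/c.doc" + TAIL,
    HEAD + "(Doc.Malware.Sagent-6865733-0) in the file /data/docs/a.doc" + TAIL,
    HEAD + "(Example.Placeholder.Signature-0) in the file /data/in/new.doc" + TAIL,
]
SAMPLE_MTIMES = {
    "/data/docs/a.doc": datetime(2009, 3, 1),
    "/data/docs/b.doc": datetime(2012, 7, 15),
    "/data/docs/c.doc": datetime(2015, 1, 10),
    "/data/in/new.doc": datetime(2019, 2, 25),
}

if __name__ == "__main__":
    for sig, row in triage(SAMPLE_LINES, SAMPLE_MTIMES, NOW).items():
        print(sig, row)
```

On a real system the `mtimes` mapping would come from `os.stat` on each reported path; a single hit on a recently written file stays at "investigate" regardless of the thresholds.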